httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] Enabling ECDHE ciphers
Date Fri, 18 Apr 2014 16:14:32 GMT
Igor,

On 4/17/14, 8:56 PM, Igor Cicimov wrote:
> 
> On 18/04/2014 2:30 AM, "Hanno Böck" <hanno@hboeck.de> wrote:
>>
>> On Thu, 17 Apr 2014 12:27:37 -0400
>> Christopher Schultz <chris@christopherschultz.net> wrote:
>>
>> > I'm trying to enable (and prefer!) ECDHE ciphers for clients that can
>> > support them. I've done the obvious:
>> [...]
>> > I'm running httpd 2.2.23
>>
>> That's your problem. Get rid of that old cruft. You'll need apache 2.4
>> (for that and for many other improvements regarding ssl encryption).
>>
> No you don't, I have 2.2 with the latest openssl-1.0.1g on all my servers and
> TLSv1.2 and ECDHE ciphers are supported.

I checked, and even though I have the OpenSSL 1.0.1g package installed,
it appears that httpd was compiled against OpenSSL 1.0.0. When I look at
the startup log, it says:

[Mon Apr 14 15:49:34 2014] [notice] Apache/2.2.23 (Unix) DAV/2
mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured --
resuming normal operations

On another test server, I upgraded to the latest 2.2.x httpd I can get
from Amazon, which is 2.2.26. I restarted and still can't seem to use
the ECDHE algorithms.

On that same (second) test server I upgraded to httpd 2.4.9. Here is the
startup log message there:

[Fri Apr 18 15:53:26.330856 2014] [mpm_prefork:notice] [pid 15337]
AH00163: Apache/2.4.9 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.10
mod_jk/1.2.40 configured -- resuming normal operations

I'm now able to use the ECDHE ciphers.

Everything appears to be dynamically linked, so I can't understand why
2.2.x reports it's running with OpenSSL 1.0.0 when I clearly have 1.0.1
installed. This is almost certainly an Amazon-Linux-related thing if you
were able to get ECDHE ciphers working on 2.2.x.

I wonder, what does your startup string say about OpenSSL?

The good news is that I really did only have to put it in my ciphers list.

Thanks,
-chris
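A small parser for the startup notices quoted above, added here as an example and not part of the thread: it reads the `OpenSSL/x.y.z` token that mod_ssl logs (the library httpd is actually linked against, not the package installed on the box) and flags builds older than 1.0.1, the version behind both working ECDHE setups in the thread. The 1.0.1 threshold is an assumption drawn from the thread, not a rule taken from the httpd documentation.

```python
import re
# Constructed sample input: the two startup notices quoted in the thread
# (httpd 2.2.23 linked against OpenSSL 1.0.0-fips, 2.4.9 against 1.0.1e-fips).
SAMPLE_LINES = [
    "[Mon Apr 14 15:49:34 2014] [notice] Apache/2.2.23 (Unix) DAV/2 "
    "mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured -- "
    "resuming normal operations",
    "[Fri Apr 18 15:53:26.330856 2014] [mpm_prefork:notice] [pid 15337] "
    "AH00163: Apache/2.4.9 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.10 "
    "mod_jk/1.2.40 configured -- resuming normal operations",
]

# Assumed threshold: the setups in the thread where ECDHE worked were linked
# against OpenSSL 1.0.1e/1.0.1g, so anything older gets flagged for attention.
MIN_OPENSSL = (1, 0, 1)
_HTTPD_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
_OPENSSL_RE = re.compile(r"OpenSSL/((\d+)\.(\d+)\.(\d+)[a-z]*(?:-fips)?)")


def parse_startup_line(line):
    """Pull httpd and OpenSSL versions out of a mod_ssl startup notice.
    Handles both the 2.2 and the 2.4 log formats; None if a token is missing."""
    h, o = _HTTPD_RE.search(line), _OPENSSL_RE.search(line)
    if not h or not o:
        return None
    return {
        "httpd": tuple(int(x) for x in h.groups()),
        "openssl": tuple(int(x) for x in o.groups()[1:]),
        "openssl_str": o.group(1),
    }


def ecdhe_linkage_ok(info):
    """True when the OpenSSL that httpd is linked against (what the log reports,
    not the package installed on the box) is at least MIN_OPENSSL."""
    return info["openssl"] >= MIN_OPENSSL


def audit(lines):
    """Return (httpd version, OpenSSL version string, ok) per parseable line."""
    results = []
    for line in lines:
        info = parse_startup_line(line)
        if info is not None:
            httpd_v = ".".join(map(str, info["httpd"]))
            results.append((httpd_v, info["openssl_str"], ecdhe_linkage_ok(info)))
    return results


if __name__ == "__main__":
    for httpd_v, ssl_v, ok in audit(SAMPLE_LINES):
        print(f"httpd {httpd_v} linked against OpenSSL {ssl_v}: "
              f"{'ECDHE-capable' if ok else 'too old for ECDHE, check linkage'}")
```

Run it against your own error_log to see which OpenSSL each httpd build on a host really reports, rather than trusting the installed package version.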

